North American Network Operators Group
Re: request for help w/ ATT and terminology
On Thu, 17 Jan 2008 17:35:30 -0500 [email protected] wrote:

> On Thu, 17 Jan 2008 21:29:37 GMT, "Steven M. Bellovin" said:
>
> > You don't always want to rely on the DNS for things like firewalls
> > and ACLs. DNS responses can be spoofed, the servers may not be
> > available, etc. (For some reason, I'm assuming that DNSsec isn't
> > being used...)
>
> Been there, done that, plus enough other "stupid DNS tricks" and
> "stupid /etc/host tricks" to get me a fair supply of stories best
> told over a pitcher of Guinness down at the Underground..

I prefer nice, hoppy ales to Guinness, but either works for stories..

> *Choosing* to hardcode rather than use DNS is one thing. *Having* to
> hardcode because the gear is "too stupid" (as Joe Greco put it) is
> however "Caveat emptor" no matter how you slice it...
>

Mostly. I could make a strong case that some security gear shouldn't
let you do the wrong thing. (OTOH, my preferred interface would do
the DNS look-up at config time, and ask you to confirm the retrieved
addresses.) You can even do that look-up on a protected net in some cases.

--Steve Bellovin, http://www.cs.columbia.edu/~smb
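The "resolve at config time, then confirm" interface described in the message above, as an added example that is not part of the original thread or of any vendor's firewall software. It resolves a name once, shows the operator the addresses DNS returned, requires an explicit yes, and emits rules that contain only literal IPs (so the running ACL never depends on DNS being available or honest), while keeping the hostname in a comment so the pinned set can be re-audited later. The `permit tcp host ... any eq ...` rule syntax is a placeholder, the hostnames are constructed, and the resolver is injectable so the lookup can run against a protected network's resolver or a stub:

```python
"""Resolve ACL hostnames once, at config time, and emit literal addresses.

Added illustration (not code from the NANOG thread). The rule syntax in
render_acl is a placeholder; adapt it to the gear you actually configure.
"""
import ipaddress
import socket
from typing import Callable, Iterable, List, Optional

Resolver = Callable[[str], Iterable[str]]


def system_resolver(hostname: str) -> List[str]:
    """Default resolver: ask the OS stub resolver for A/AAAA records."""
    infos = socket.getaddrinfo(hostname, None, proto=socket.IPPROTO_TCP)
    return [info[4][0] for info in infos]


def resolve_for_config(hostname: str, resolver: Optional[Resolver] = None) -> List[str]:
    """Look the name up once; return a sorted, de-duplicated list of literal IPs.

    Every answer is validated with ipaddress, so a malformed or spoofed-looking
    string cannot be pasted into a generated rule unchecked.
    """
    resolver = resolver or system_resolver
    seen = set()
    for raw in resolver(hostname):
        seen.add(ipaddress.ip_address(raw))  # raises ValueError on garbage
    if not seen:
        raise LookupError(f"{hostname} resolved to no addresses")
    # Sort v4 before v6, then numerically; key avoids cross-version comparison.
    return [str(a) for a in sorted(seen, key=lambda a: (a.version, int(a)))]


def render_acl(hostname: str, ips: List[str], port: int) -> List[str]:
    """One literal-IP rule per address, with the source name kept in a comment
    so the rule set can be re-checked against DNS later (placeholder syntax)."""
    lines = [f"! {hostname} resolved at config time; {len(ips)} address(es) pinned"]
    for ip in ips:
        lines.append(f"permit tcp host {ip} any eq {port}")
    return lines


def confirm_addresses(hostname: str, ips: List[str],
                      ask: Callable[[str], str] = input) -> bool:
    """Show the operator what DNS returned and require an explicit yes."""
    listing = "\n".join(f"  {ip}" for ip in ips)
    answer = ask(f"{hostname} currently resolves to:\n{listing}\nPin these addresses? [y/N] ")
    return answer.strip().lower() in ("y", "yes")


def detect_drift(hostname: str, pinned: List[str],
                 resolver: Optional[Resolver] = None) -> dict:
    """Periodic audit: which addresses appeared in DNS since pinning, and which
    pinned addresses DNS no longer returns."""
    current = set(resolve_for_config(hostname, resolver))
    pinned_set = set(pinned)
    return {"added": sorted(current - pinned_set), "removed": sorted(pinned_set - current)}


if __name__ == "__main__":
    host = "example.com"  # constructed sample name
    addrs = resolve_for_config(host)
    if confirm_addresses(host, addrs):
        print("\n".join(render_acl(host, addrs, 443)))
    else:
        print("aborted: nothing written")
```

Running `detect_drift` from cron against the pinned set gives the operator the one thing hardcoding loses: a signal when the name's addresses change, without letting that change silently alter the live policy.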